Minor updates and code changes occur every day. Only significant or noteworthy updates are shown here. Updates shown with a gold background are (or were at the time) only available to Advanced HOPS members.

| Time Date | System Updates |
|---|---|
| Update 1344 24 November 2025 | Multi-factor Authentication (MFA) is now available to all users in HOPS. MFA provides an extra layer of security on your HOPS account by requiring users to present multiple credentials, or factors, when logging in. Practically, this will be something users know (their password) and something they have (e.g. an authenticator app running on a smartphone). Requiring multiple factors makes it much harder for another person to log in to a HOPS account maliciously, even if they steal a password. This helps to keep everyone's personal data secure. Thank you to our test guinea pigs for providing useful feedback on this facility.<br><br>For a user to enable MFA, they click the avatar in the top right corner of HOPS and select 'My HOPS Account', then scroll down the page to Multi-Factor Authentication and follow the prompts to set it up. (Note that passkeys are not yet available.) For more details, a help page about MFA, with a link to TOTP, is available here: https://www.hops.org.uk/help/mfa (The passkeys page is not yet published so that link does not go anywhere for the moment.)<br><br>Permission 545 is now available if you wish to enforce MFA for any users. It is recommended that this is assigned via groups (as with all permissions), i.e. make it a requirement 'that the Loco Manager uses MFA', rather than 'that Bob uses MFA'. The permission does not do anything else or allow access to anything; it is just a means of enforcing MFA for certain groups/users via an existing and well-known mechanism. HOPS will enforce MFA on users with permissions 015 (Administer Permissions) and 080 (Admin-login) in the future, so starting to encourage users with those permissions into MFA now is advised to avoid a sudden change when it becomes enforced.<br><br>Note: as with all permissions changes, permissions are cached for up to 15 minutes. To see an instant change the user will need to either press F5 to refresh, or visit the avatar in the top right corner and select 'Refresh Session'. This isn't an absolute requirement; if it is not done then the requirement for MFA just won't come into effect for 15 minutes.<br><br>FAQs from users:<br>* Do I HAVE to use MFA? At the moment, no. In the not-too-distant future this will change and some users will be required to enrol in MFA. This will be users with high levels of access to personal data in HOPS. Individual railways may also extend this to certain other roles or individuals. Your railway will tell you if this is the case. Any user can enrol if they wish to.<br>* What if I don't have a smart phone? Most browsers are able to perform the role of an authenticator, so users without a smart phone can use this on whatever device they do use to browse HOPS. It is recognised that, given the nature of our railway work, there will be a number of senior users who are excellent at their railway skill, but not so comfortable with computer technology, which is why we are introducing this as softly as we can. Unfortunately we can't ignore the accepted industry practice requirement for MFA, so HOPS Admins and local IT Support will be able to help users in using authenticator apps or browser extensions.<br>* I work for more than one railway. Can I use MFA for one and not others? MFA works at an account level (as once you are logged in you can jump between railways), so MFA will apply to your one and only set of user credentials. If you have not joined your accounts then HOPS does not know that you are the same person on two railways, so you could have MFA on one but not the other. Joining accounts is recommended, and means you only need one set of login credentials: https://www.hops.org.uk/help/joining-user-accounts<br>* I sometimes log in on my phone and sometimes on my computer. MFA applies to the HOPS account, so will be required no matter which method is used to log in. This ensures that the protection applies to all access to your account, without leaving the door open to abuse on certain devices.<br><br>If you have any other questions about MFA please speak to your HOPS Admin.<br><br>Thank you to everyone who has taken part in the various trials of MFA and fed back their findings. If anyone has any queries please let us know via a support ticket. |
